This chapter describes the users, groups user environment and management environment settings to complete before you install Oracle Grid Infrastructure for a Cluster and Oracle Real Application Clusters.
This chapter contains the following topics:
Creating Groups, Users and Paths for Oracle Grid Infrastructure
Configuring Grid Infrastructure Software Owner User Environments
Log in as root, and use the following instructions to locate or create the Oracle Inventory group and a software owner for Oracle Grid Infrastructure.
Determining If the Oracle Inventory and Oracle Inventory Group Exists
Creating the Oracle Inventory Group If an Oracle Inventory Does Not Exist
About Job Role Separation Operating System Privileges Groups and Users
Note:
During an Oracle Grid Infrastructure installation, both Oracle Clusterware and Oracle Automatic Storage Management are installed. You no longer can have separate Oracle Clusterware installation owners and Oracle Automatic Storage Management installation owners.When you install Oracle software on the system for the first time, OUI creates the oraInst.loc file. This file identifies the name of the Oracle Inventory group (by default, oinstall), and the path of the Oracle Central Inventory directory. An oraInst.loc file has contents similar to the following:
inventory_loc=central_inventory_location inst_group=group
In the preceding example, central_inventory_location is the location of the Oracle central inventory, and group is the name of the group that has permissions to write to the central inventory (the OINSTALL group privilege).
For Oracle Grid Infrastructure installations, the central inventory must be on local storage on the node.
If you have an existing Oracle central inventory, then ensure that you use the same Oracle Inventory for all Oracle software installations, and ensure that all Oracle software users you intend to use for installation have permissions to write to this directory.
To determine if you have an Oracle Inventory on your system:
# more /var/opt/oracle/oraInst.loc
If the oraInst.loc file exists, then the output from this command is similar to the following:
inventory_loc=/u01/app/oracle/oraInventory inst_group=oinstall
In the previous output example:
The inventory_loc group shows the location of the Oracle Inventory
The inst_group parameter shows the name of the Oracle Inventory group (in this example, oinstall).
Ensure that Oracle Inventory group members are granted the HP-UX privileges RTPRIO, MLOCK, and RTSCHED. For example:
# /usr/bin/getprivgrp oinstall oinstall: RTPRIO MLOCK RTSCHED
If the group is not granted these privileges, then add these privileges as described in the next section.
If the oraInst.loc file does not exist, then complete the following tasks:
Create the Oracle Inventory group by entering a command similar to the following:
# /usr/sbin/groupadd -g 1000 oinstall
The preceding command creates the oraInventory group oinstall, with the group ID number 1000. Members of the oraInventory group are granted privileges to write to the Oracle central inventory (oraInventory).
By default, if an oraInventory group does not exist, then the installer lists the primary group of the installation owner for the Oracle Grid Infrastructure for a Cluster software as the oraInventory group. Ensure that this group is available as a primary group for all planned Oracle software installation owners.
Note:
Group and user IDs must be identical on all nodes in the cluster. Check to make sure that the group and user IDs you want to use are available on each cluster member node, and confirm that the primary group for each Oracle Grid Infrastructure for a Cluster installation owner has the same name and group ID.If it does not already exist, create the /etc/privgroup file. Add a line similar to the following to grant Oracle installation owners the RTPRIO, MLOCK, and RTSCHED privileges:
oinstall RTPRIO MLOCK RTSCHED
If /etc/privgroup exists, then add these privileges to the Oracle Inventory group. For example:
# /usr/sbin/setprivgrp oinstall RTPRIO MLOCK RTSCHED
Confirm the grant of privileges to the group. For example:
# /usr/bin/getprivgrp oinstall oinstall: RTPRIO MLOCK RTSCHED
Repeat this procedure on all of the other nodes in the cluster.
You must create a software owner for Oracle Clusterware in the following circumstances:
If an Oracle software owner user does not exist; for example, if this is the first installation of Oracle software on the system
If an Oracle software owner user exists, but you want to use a different operating system user, with different group membership, to separate Oracle Grid Infrastructure administrative privileges from Oracle Database administrative privileges.
In Oracle documentation, a user created to own only Oracle Grid Infrastructure software installations is called the grid user. A user created to own either all Oracle installations, or only Oracle database installations, is called the oracle user.
Review the following restrictions for users created to own Oracle software:
If you intend to use multiple Oracle software owners for different Oracle Database homes, then Oracle recommends that you create a separate software owner for Oracle Grid Infrastructure software (Oracle Clusterware and Oracle ASM), and use that owner to run the Oracle Grid Infrastructure installation.
During installation, SSH must be set up between cluster member nodes. SSH can be set up automatically by Oracle Universal Installer (the installer). To enable SSH to be set up automatically, create Oracle installation owners without any stty commands in their profiles, and remove other security measures that are triggered during a login that generate messages to the terminal. These messages, mail checks, and other displays prevent Oracle software installation owner accounts from using the SSH configuration script that is built into the installer. If they are not disabled, then SSH must be configured manually before an installation can be run.
If you plan to install Oracle Database or Oracle RAC, then Oracle recommends that you create separate users for the Oracle Grid Infrastructure and the Oracle Database installations. If you use one installation owner, then when you want to perform administration tasks, you must change the value for $ORACLE_HOME to the instance you want to administer (Oracle ASM, in the Oracle Grid Infrastructure home, or the database in the Oracle home), using command syntax such as the following example, where /u01/app/12.1.0/grid is the Oracle Grid Infrastructure home:
$ ORACLE_HOME=/u01/app/12.1.0/grid; export ORACLE_HOME
If you try to administer an Oracle home or Grid home instance using sqlplus, lsnrctl, or asmcmd commands while the environment variable $ORACLE_HOME is set to a different Oracle home or Grid home path, then you encounter errors. For example, when you start SRVCTL from a database home, $ORACLE_HOME should be set to that database home, or SRVCTL fails. The exception is when you are using SRVCTL in the Oracle Grid Infrastructure home. In that case, $ORACLE_HOME is ignored, and the Oracle home environment variable does not affect SRVCTL commands. In all other cases, you must change $ORACLE_HOME to the instance that you want to administer.
To create separate Oracle software owners and separate operating system privileges groups for different Oracle software installations, note that each of these users must have the Oracle central inventory group (oraInventory group) as their primary group. Members of this group are granted the OINSTALL system privileges to write to the Oracle central inventory (oraInventory) directory, and are also granted permissions for various Oracle Clusterware resources, OCR keys, directories in the Oracle Clusterware home to which DBAs need write access, and other necessary privileges. In Oracle documentation, this group is represented as oinstall in code examples.
Each Oracle software owner must be a member of the same central inventory oraInventory group, and they must have this group as their primary group, so that all Oracle software installation owners share the same OINSTALL system privileges. Oracle recommends that you do not have more than one central inventory for Oracle installations. If an Oracle software owner has a different central inventory group, then you may corrupt the central inventory.
To determine whether an Oracle software owner user named oracle or grid exists, enter a command similar to the following (in this case, to determine if oracle exists):
# id oracle
If the user exists, then the output from this command is similar to the following:
uid=501(oracle) gid=501(oinstall) groups=502(dba),503(oper)
Determine whether you want to use the existing user, or create another user. The user and group ID numbers must be the same on each node you intend to make a cluster member node.
To use the existing user, ensure that the user's primary group is the Oracle Inventory group (oinstall).
If the Oracle software owner (oracle, grid) user does not exist, or if you require a new Oracle software owner user, then create it. If you want to use an existing user account, then modify it to ensure that the user ID and group IDs are the same on each cluster member node.
Oracle recommends that you do not use the defaults on each node, because UIDs and GIDs assigned by default are likely to be different on each node. Instead, determine specifically named and numbered UIDs and GIDs, and confirm that they are unused on any node before you create or modify groups and users. Oracle strongly recommends that you confirm that you have identical user configuration on each node you intend to make a cluster member node before you start installation, and that the UID and GIDs do not need to be changed. If you need to change UIDs and GIDs for Oracle software users and groups, then you must reinstall the software.
Oracle does not support changing the UID or GID or group memberships for a user account that you have previously used to install and configure Oracle RAC or Oracle Grid Infrastructure. Oracle does not support changing the ownership of an existing Oracle Database home from one Oracle user to a different user.
If you must modify an existing Grid installation owner after previously installing Oracle Grid Infrastructure (for example, if you want to modify an existing Oracle Database user account before you install Oracle RAC, to distinguish between the Oracle Grid Infrastructure owner and the Oracle RAC Oracle Database owner user accounts), then you must stop and start Oracle Clusterware on each node (in a rolling fashion) to pick up the changes made to the user account that owns Oracle Grid Infrastructure.
The following procedures use grid as the name of the Oracle software owner, and asmadmin as the OSASM group. To create separate system privilege groups to separate administration privileges, complete group creation before you create the user, as described in Section 5.1.7, "About Job Role Separation Operating System Privileges Groups and Users,".
To create a grid installation owner account where you have an existing system privileges group (in this example, dba), whose members you want to have granted the SYSASM privilege to administer the Oracle ASM instance, enter a command similar to the following:
# /usr/sbin/useradd -u 1100 -g oinstall -G dba grid
In the preceding command:
The -u option specifies the user ID. Using this command flag is optional, as you can allow the system to provide you with an automatically generated user ID number. However, you must make note of the user ID number of the user you create for Oracle Grid Infrastructure, as you require it later during preinstallation, and you must have the same user ID number for this user on all nodes of the cluster.
The -g option specifies the primary group, which must be the Oracle Inventory group. For example: oinstall.
The -G option specified the secondary group, which in this example is dba.
The secondary groups must include the OSASM group, whose members are granted the SYSASM privilege to administer the Oracle ASM instance. You can designate a unique group for the SYSASM system privileges, separate from database administrator groups, or you can designate one group as the OSASM and OSDBA group, so that members of that group are granted the SYSASM and SYSDBA privileges to grant system privileges to administer both the Oracle ASM instances and Oracle Database instances. In code examples, this group is asmadmin.
If you are creating this user to own both Oracle Grid Infrastructure and an Oracle Database installation, then this user must have the OSDBA for ASM group as a secondary group. In code examples, this group name is asmdba. Members of the OSDBA for ASM group are granted access to Oracle ASM storage. You must create an OSDBA for ASM group if you plan to have multiple databases accessing Oracle ASM storage, or you must use the same group as the OSDBA for all databases, and for the OSDBA for ASM group.
Use the usermod command to change existing user id numbers and groups.
For example:
# id oracle uid=501(oracle) gid=501(oracle) groups=501(oracle) # /usr/sbin/usermod -u 1001 -g 1000 -G 1000,1001 oracle # id oracle uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1001(oracle)
Set the password of the user that will own Oracle Grid Infrastructure. For example:
# passwd grid
Repeat this procedure on all of the other nodes in the cluster.
Note:
If necessary, contact your system administrator before using or modifying an existing user.The Oracle base directory for the Oracle Grid Infrastructure installation is the location where diagnostic and administrative logs, and other logs associated with Oracle ASM and Oracle Clusterware are stored. For Oracle installations other than Oracle Grid Infrastructure for a cluster, it is also the location under which an Oracle home is placed.
However, in the case of an Oracle Grid Infrastructure installation, you must create a different path, so that the path for Oracle bases remains available for other Oracle installations.
For OUI to recognize the Oracle base path, it must be in the form u[00-99][00-99]/app, and it must be writable by any member of the oraInventory (oinstall) group. The OFA path for the Oracle base is u[00-99][00-99]/app/user, where user is the name of the software installation owner. For example:
/u01/app/grid
The Oracle home for Oracle Grid Infrastructure software (Grid home) should be located in a path that is different from the Oracle home directory paths for any other Oracle software. The Optimal Flexible Architecture guideline for a Grid home is to create a path in the form /pm/v/u, where /p is a string constant, /m is a unique fixed-length key (typically a two-digit number), /v is the version of the software, and /u is the installation owner of the Oracle Grid Infrastructure software (Grid user). During Oracle Grid Infrastructure for a cluster installation, the path of the Grid home is changed to the root user, so any other users are unable to read, write, or execute commands in that path.
For example, to create a Grid home in the standard mount point path format u[00-99][00-99]/app/release/grid, where release is the release number of the Oracle Grid Infrastructure software, create the following path:
/u01/app/12.1.0/grid
During installation, ownership of the entire path to the Grid home is changed to root. (/u01, /u01/app, /u01/app/12.1.0, /u01/app/12.1.0/grid). If you do not create a unique path to the Grid home, then after the Grid install, you can encounter permission errors for other installations, including any existing installations under the same path.
To avoid placing the application directory in the mount point under root ownership, you can create and select paths such as the following for the Grid home:
/u01/12.1.0/grid
Caution:
For Oracle Grid Infrastructure for a cluster installations, note the following restrictions for the Oracle Grid Infrastructure binary home (Grid home directory for Oracle Grid Infrastructure):It must not be placed under one of the Oracle base directories, including the Oracle base directory of the Oracle Grid Infrastructure installation owner.
It must not be placed in the home directory of an installation owner.
These requirements are specific to Oracle Grid Infrastructure for a cluster installations. Oracle Grid Infrastructure for a standalone server (Oracle Restart) can be installed under the Oracle base for the Oracle Database installation.
See Also:
Oracle Database Installation Guide for details about Optimal Flexible Architecture (OFA) guidelinesOracle recommends that you create Oracle Grid Infrastructure Grid home and Oracle base homes manually, particularly if you have separate Oracle Grid Infrastructure for a cluster and Oracle Database software owners, so that you can separate log files for the Oracle Grid Infrastructure installation owner in a separate Oracle base, and prevent accidental placement of the Grid home under an Oracle base path.
For example:
# mkdir -p /u01/app/12.1.0/grid # mkdir -p /u01/app/grid # mkdir -p /u01/app/oracle # chown -R grid:oinstall /u01 # chown oracle:oinstall /u01/app/oracle # chmod -R 775 /u01/
See Also:
Appendix D, "Oracle Grid Infrastructure for a Cluster Installation Concepts" for more details about Oracle base and Oracle home directoriesA job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users to provide separate groups for operating system authentication.
With Oracle Database job role separation, each Oracle Database installation has separate operating system groups to provide authentication for system privileges on that Oracle Database, so multiple databases can be installed on the cluster without sharing operating system authentication for system privileges. In addition, each Oracle software installation is owned by a separate installation owner, to provide operating system user authentication for modifications to Oracle Database binaries.
With Oracle Grid Infrastructure job role separation, Oracle ASM has separate operating system groups that provides operating system authentication for Oracle ASM system privileges for storage tier administration. This operating system authentication is separated from Oracle Database operating system authentication. In addition, the Oracle Grid Infrastructure installation owner provides operating system user authentication for modifications to Oracle Grid Infrastructure binaries.
During the Oracle Database installation, Oracle Universal Installer (OUI) prompts you to specify the name of the OSDBA, OSOPER, OSBACKUPDBA, OSDGDBA and OSKMDBA groups. Members of these groups are granted operating system authentication for the set of database system privileges each group authorizes. Oracle recommends that you create different operating system groups for each set of system privileges.
Note:
This configuration is optional, to restrict user access to Oracle software by responsibility areas for different administrator users.You can choose to create one administrative user and one group for operating system authentication for all system privileges on the storage and database tiers.
For example, you can designate the oracle user to be the installation owner for all Oracle software, and designate oinstall to be the group whose members are granted all system privileges for Oracle Clusterware; all system privileges for Oracle ASM; all system privileges for all Oracle Databases on the servers; and all OINSTALL system privileges for installation owners. This group must also be the Oracle Inventory group.
If you do not want to use role allocation groups, then Oracle strongly recommends that you use at least two groups:
A system privileges group whose members are granted administrative system privileges, including OSDBA, OSASM, and other system privileges groups.
An installation owner group (the oraInventory group) whose members are granted Oracle installation owner system privileges (the OINSTALL system privilege).
To simplify using the defaults for Oracle tools such as Cluster Verification Utility, if you do choose to use a single operating system group to grant all system privileges and the right to write to the oraInventory, then that group name should be oinstall.
Note:
To configure users for installation that are on a network directory service such as Network Information Services (NIS), refer to your directory service documentation.See Also:
Oracle Database Administrator's Guide for more information about planning for system privileges authentication
Oracle Database Storage Administrator's Guide for more information about Oracle ASM operating system authentication
This section provides an overview of how to create users and groups to use job role separation. Log in as root to create these groups and users.
Oracle recommends that you create the following operating system groups and users for all installations where you create separate software installation owners:
One software owner to own each Oracle software product (typically, oracle, for the database software owner user, and grid for Oracle Grid Infrastructure.
You must create at least one software owner the first time you install Oracle software on the system. This user owns the Oracle binaries of the Oracle Grid Infrastructure software, and you can also make this user the owner of the Oracle Database or Oracle RAC binaries.
Oracle software owners must have the Oracle Inventory group as their primary group, so that each Oracle software installation owner can write to the central inventory (oraInventory), and so that OCR and Oracle Clusterware resource permissions are set correctly. The database software owner must also have the OSDBA group and (if you create it) the OSOPER group as secondary groups. In Oracle documentation, when Oracle software owner users are referred to, they are called oracle users.
Oracle recommends that you create separate software owner users to own each Oracle software installation. Oracle particularly recommends that you do this if you intend to install multiple databases on the system.
In Oracle documentation, a user created to own the Oracle Grid Infrastructure binaries is called the grid user. This user owns both the Oracle Clusterware and Oracle Automatic Storage Management binaries.
See Also:
Oracle Clusterware Administration and Deployment Guide and Oracle Database Administrator's Guide for more information about the OSDBA, OSASM and OSOPER groups and theSYSDBA, SYSASM and SYSOPER privilegesThe following operating system groups and user are required if you are installing Oracle Database:
The OSDBA group (typically, dba)
You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). If you do not create separate OSDBA, OSOPER and OSASM groups for the Oracle ASM instance, then operating system user accounts that have the SYSOPER and SYSASM privileges must be members of this group. The name used for this group in Oracle code examples is dba. If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also by default the OSASM group.
To specify a group name other than the default dba group, then you must choose the Advanced installation type to install the software or start Oracle Universal Installer (OUI) as a user that is not a member of this group. In this case, OUI prompts you to specify the name of this group.
Members of the OSDBA group formerly were granted SYSASM privileges on Oracle ASM instances, including mounting and dismounting disk groups. This privileges grant is removed with Oracle Grid Infrastructure 11g release 2 (11.2), if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privilege is retained.
The OSOPER group for Oracle Database (typically, oper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have all privileges granted by the SYSOPER privilege.
To use the OSOPER group to create a database administrator group with fewer privileges than the default dba group, then you must choose the Advanced installation type to install the software or start OUI as a user that is not a member of the dba group. In this case, OUI prompts you to specify the name of this group. The usual name chosen for this group is oper.
SYSASM is a new system privilege that enables the separation of the Oracle ASM storage administration privilege from SYSDBA. With Oracle Automatic Storage Management 11g release 2 (11.2), members of the database OSDBA group are not granted SYSASM privileges, unless the operating system group designated as the OSASM group is the same group designated as the OSDBA group.
Select separate operating system groups as the operating system authentication groups for privileges on Oracle ASM. Before you start OUI, create the following groups and users for Oracle ASM
The Oracle Automatic Storage Management Group (typically asmadmin)
This is a required group. Create this group as a separate group if you want to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group, and in code examples, where there is a group specifically created to grant this privilege, it is referred to as asmadmin.
If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a separate OSASM group, and use a separate user from the database users to own the Oracle Grid Infrastructure installation (Oracle Clusterware and Oracle ASM). Oracle ASM can support multiple databases.
Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.
The Oracle ASM Database Administrator group (OSDBA for ASM, typically asmdba)
Members of the Oracle ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.
Members of the Oracle ASM Operator Group (OSOPER for ASM, typically asmoper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.
To use the Oracle ASM Operator group to create an Oracle ASM administrator group with fewer privileges than the default asmadmin group, then you must choose the Advanced installation type to install the software, In this case, OUI prompts you to specify the name of this group. In code examples, this group is asmoper.
This section contains the following topics:
Oracle recommends that you create one software owner to own each Oracle software product (typically, oracle, for the database software owner user, and grid for Oracle Grid Infrastructure).
You must create at least one software owner the first time you install Oracle software on the system. This user owns the Oracle binaries of the Oracle Grid Infrastructure software, and you can also make this user the owner of the Oracle Database or Oracle RAC binaries.
Oracle software owners must have the Oracle Inventory group as their primary group, so that each Oracle software installation owner can write to the central inventory (oraInventory), and so that OCR and Oracle Clusterware resource permissions are set correctly. The database software owner must also have the OSDBA group and (if you create them) the OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups as secondary groups. In Oracle documentation, when Oracle software owner users are referred to, they are called oracle users.
Oracle recommends that you create separate software owner users to own each Oracle software installation. Oracle particularly recommends that you do this if you intend to install multiple databases on the system.
In Oracle documentation, a user created to own the Oracle Grid Infrastructure binaries is called the grid user. This user owns both the Oracle Clusterware and Oracle Automatic Storage Management binaries.
See Also:
Oracle Database Storage Administrator's Guide and Oracle Database Administrator's Guide for more information about operating system groups and system privileges authenticationThe following is a list of standard Oracle Database groups. These groups provide operating system authentication for database administration system privileges:
You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). If you do not create separate OSDBA, OSOPER and OSASM groups for the Oracle ASM instance, then operating system user accounts that have the SYSOPER and SYSASM privileges must be members of this group. The name used for this group in Oracle code examples is dba. If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also by default the OSASM group.
To specify a group name other than the default dba group, you must either choose the Advanced installation type to install the software, or you start Oracle Universal Installer (OUI) as a user that is not a member of this group. If you start OUI with a user that is not a member of a group called dba, then OUI prompts you to specify the name of the OSDBA group.
Members of the OSDBA group formerly were granted SYSASM privilege on Oracle ASM instances, including mounting and dismounting disk groups. This privileges grant is removed with Oracle Grid Infrastructure 11g Release 2 (11.2), if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privileges are retained.
OSOPER group for Oracle Database (typically, oper)
You can choose to create this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database (the SYSOPER privilege).
Starting with Oracle Database 12c Release 1 (12.1), in addition to the OSOPER privileges to start up and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the OSDBA/SYSDBA system privileges to support specific administrative privileges tasks required for everyday database operation Users granted these system privileges are also authenticated through operating system group membership.
You do not have to create these specific group names, but during installation you are prompted to provide operating system groups whose members are granted access to these system privileges. You can assign the same group to provide authentication for these privileges, but Oracle recommends that you provide a unique group to designate each privilege.
The OSDBA subset job role separation privileges and groups consist of the following:
OSBACKUPDBA group for Oracle Database (typically, backupdba)
Create this group if you want a separate group of operating system users to have a limited set of database backup and recovery related administrative privileges (the SYSBACKUP privilege).
OSDGDBA group for Oracle Data Guard (typically, dgdba)
Create this group if you want a separate group of operating system users to have a limited set of privileges to administer and monitor Oracle Data Guard (the SYSDG privilege).
OSKMDBA group for encryption key management (typically, kmdba)
Create this group if you want a separate group of operating sytem users to have a limited set of privileges for encryption key management such as Oracle Wallet Manager management (the SYSKM privilege).
The SYSASM, SYSOPER for ASM, and SYSDBA for ASM system privileges enables the separation of the Oracle ASM storage administration privileges from SYSDBA. Members of operating systems you designate are granted the system privileges for these roles. Select separate operating system groups as the operating system authentication groups for privileges on Oracle ASM.
Before you start OUI, create the following OS groups and users for Oracle ASM, whose members are granted the corresponding SYS privileges:
OSASM Group for Oracle ASM Administration (typically asmadmin)
Create this group as a separate group if you want to have separate administration privileges groups for Oracle ASM and Oracle Database administrators. Members of this group are granted the SYSASM system privileges to administer Oracle ASM. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group, and in code examples, where there is a group specifically created to grant this privilege, it is referred to as asmadmin.
Oracle ASM can support multiple databases. If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a group whose members are granted the OSASM/SYSASM administrative privileges, and create a grid infrastructure user (grid) that does not own a database installation, so that you separate Oracle Grid Infrastructure SYSASM administrative privileges from a database administrative privileges group.
Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.
OSDBA for ASM Database Administrator group for ASM, typically asmdba)
Members of the ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.
OSOPER for ASM Group for ASM Operators (OSOPER for ASM, typically asmoper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.
To use the Oracle ASM Operator group to create an Oracle ASM administrator group with fewer privileges than the default asmadmin group, then you must choose the Advanced installation type to install the software, In this case, OUI prompts you to specify the name of this group. In code examples, this group is asmoper.
The following sections describe how to create the required operating system user and group for Oracle Grid Infrastructure and Oracle Database:
Creating the OSDBA Group to Prepare for Database Installations
Creating the OSDBA for ASM Group for Database Access to Oracle ASM
Creating Identical Database Users and Groups on Other Cluster Nodes
If you intend to install Oracle Database to use with the Oracle Grid Infrastructure installation, then you must create an OSDBA group in the following circumstances:
An OSDBA group does not exist; for example, if this is the first installation of Oracle Database software on the system
An OSDBA group exists, but you want to give a different group of operating system users database administrative privileges for a new Oracle Database installation
If the OSDBA group does not exist, or if you require a new OSDBA group, then create it as follows. Use the group name dba unless a group with that name already exists:
# /usr/sbin/groupadd -g 1031 dba
Create an OSOPER group only if you want to identify a group of operating system users with a limited set of database administrative privileges (SYSOPER operator privileges). For most installations, it is sufficient to create only the OSDBA group. To use an OSOPER group, then you must create it in the following circumstances:
If an OSOPER group does not exist; for example, if this is the first installation of Oracle Database software on the system
If an OSOPER group exists, but you want to give a different group of operating system users database operator privileges in a new Oracle installation
If you require a new OSOPER group, then create it as follows. Use the group name oper unless a group with that name already exists.
# /usr/sbin/groupadd -g 1032 oper1
If the OSASM group does not exist or if you require a new OSASM group, then create it as follows. Use the group name asmadmin unless a group with that name already exists:
# /usr/sbin/groupadd -g 1020 asmadmin
Create an OSOPER for ASM group if you want to identify a group of operating system users, such as database administrators, whom you want to grant a limited set of Oracle ASM storage tier administrative privileges, including the ability to start up and shut down the Oracle ASM storage. For most installations, it is sufficient to create only the OSASM group, and provide that group as the OSOPER for ASM group during the installation interview.
If you require a new OSOPER for ASM group, then create it as follows. In the following, use the group name asmoper unless a group with that name already exists:
# /usr/sbin/groupadd -g 1022 asmoper
You must create an OSDBA for ASM group to provide access to the Oracle ASM instance. This is necessary if OSASM and OSDBA are different groups.
If the OSDBA for ASM group does not exist or if you require a new OSDBA for ASM group, then create it as follows. Use the group name asmdba unless a group with that name already exists:
# /usr/sbin/groupadd -g 1021 asmdba
This section contains information about the Oracle software owner user, which is typically the user that owns Oracle Database or other Oracle application software. This section contains the following topics:
You must create an Oracle software owner user in the following circumstances:
If an Oracle software owner user exists, but you want to use a different operating system user, with different group membership, to give database administrative privileges to those groups in a new Oracle Database installation
If you have created an Oracle software owner for Oracle Grid Infrastructure, such as grid, and you want to create a separate Oracle software owner for Oracle Database software, such as oracle.
To determine whether an Oracle software owner user named oracle or grid exists, enter a command similar to the following (in this case, to determine if oracle exists):
# id oracle
If the user exists, then the output from this command is similar to the following:
uid=501(oracle) gid=501(oinstall) groups=502(dba),503(oper)
Determine whether you want to use the existing user, or create another user. To use the existing user, ensure that the user's primary group is the Oracle Inventory group and that it is a member of the appropriate OSDBA and OSOPER groups. Refer to the following sections for more information:
To modify an existing user, refer to Section 5.1.9.6.4, "Modifying an Existing Oracle Software Owner User,".
To create a user, refer to the following section.
Note:
If necessary, contact your system administrator before using or modifying an existing user.Oracle recommends that you do not use the UID and GID defaults on each node, as group and user IDs likely will be different on each node. Instead, provide common assigned group and user IDs, and confirm that they are unused on any node before you create or modify groups and users.
If the Oracle software owner user does not exist, or if you require a new Oracle software owner user, then create it as follows. Use the user name oracle unless a user with that name already exists.
To create an oracle user, enter a command similar to the following:
# /usr/sbin/useradd -u 1101 -g oinstall -G dba,asmdba oracle
In the preceding command:
The -u option specifies the user ID. Using this command flag is optional, as you can allow the system to provide you with an automatically generated user ID number. However, you must make note of the oracle user ID number, as you require it later during preinstallation.
The -g option specifies the primary group, which must be the Oracle Inventory group--for example, oinstall
The -G option specifies the secondary groups, which must include the OSDBA group, the OSDBA for ASM group, and, if required, the OSOPER for ASM group. For example: dba, asmdba, or dba, asmdba, asmoper
Set the password of the oracle user:
# passwd oracle
If the oracle user exists, but its primary group is not oinstall, or it is not a member of the appropriate OSDBA or OSDBA for ASM groups, then enter a command similar to the following to modify it. Specify the primary group using the -g option and any required secondary group using the -G option:
# /usr/sbin/usermod -g oinstall -G dba,asmdba oracle
Repeat this procedure on all of the other nodes in the cluster.
Oracle software owner users and the Oracle Inventory, OSDBA, and OSOPER groups must exist and be identical on all cluster nodes. To create these identical users and groups, you must identify the user ID and group IDs assigned them on the node where you created them, and then create the user and groups with the same name and ID on the other cluster nodes.
Note:
You must complete the following procedures only if you are using local users and groups. If you are using users and groups defined in a directory service such as NIS, then they are already identical on each cluster node.Identifying Existing User and Group IDs
To determine the user ID (uid) of the grid or oracle users, and the group IDs (gid) of the existing Oracle groups, follow these steps:
Enter a command similar to the following (in this case, to determine a user ID for the oracle user):
# id oracle
The output from this command is similar to the following:
uid=502(oracle) gid=501(oinstall) groups=502(dba),503(oper),506(asmdba)
From the output, identify the user ID (uid) for the user and the group identities (gid) for the groups to which it belongs. Ensure that these ID numbers are identical on each node of the cluster. The user's primary group is listed after gid. Secondary groups are listed after groups.
Creating Users and Groups on the Other Cluster Nodes
To create users and groups on the other cluster nodes, repeat the following procedure on each node:
Log in to the next cluster node as root.
Enter commands similar to the following to create the oinstall, asmadmin, and asmdba groups, and if required, the asmoper, dba, and oper groups. Use the -g option to specify the correct gid for each group.
# /usr/sbin/groupadd -g 1000 oinstall # /usr/sbin/groupadd -g 1020 asmadmin # /usr/sbin/groupadd -g 1021 asmdba # /usr/sbin/groupadd -g 1022 asmoper # /usr/sbin/groupadd -g 1031 dba # /usr/sbin/groupadd -g 1032 oper
Note:
If the group already exists, then use thegroupmod command to modify it if necessary. If you cannot use the same group ID for a particular group on this node, then view the /etc/group file on all nodes to identify a group ID that is available on every node. You must then change the group ID on all nodes to the same group ID.To create the oracle or Oracle Grid Infrastructure (grid) user, enter a command similar to the following (in this example, to create the oracle user):
# /usr/sbin/useradd -u 1101 -g oinstall -G asmdba,dba oracle
In the preceding command:
The -u option specifies the user ID, which must be the user ID that you identified in the previous subsection
The -g option specifies the primary group, which must be the Oracle Inventory group, for example oinstall
The -G option specifies the secondary groups, which can include the OSASM, OSDBA, OSDBA for ASM, and OSOPER or OSOPER for ASM groups. For example:
A grid installation owner: OSASM (asmadmin), whose members are granted the SYSASM privilege.
An Oracle Database installation owner without SYSASM privileges access: OSDBA (dba), OSDBA for ASM (asmdba), OSOPER for ASM (asmoper).
Note:
If the user already exists, then use theusermod command to modify it if necessary. If you cannot use the same user ID for the user on every node, then view the /etc/passwd file on all nodes to identify a user ID that is available on every node. You must then specify that ID for the user on all of the nodes.Set the password of the user. For example:
# passwd oracle
Complete user environment configuration tasks for each user as described in the section Configuring Grid Infrastructure Software Owner User Environments.
This configuration example shows the following:
Creation of the Oracle Inventory group (oinstall)
Creation of a single group (dba) as the only system privileges group to assign for all Oracle Grid Infrastructure, Oracle ASM, and Oracle Database system privileges
Creation of the Oracle Grid Infrastructure software owner (grid), and one Oracle Database owner (oracle) with correct group memberships
Creation and configuration of an Oracle base path compliant with OFA structure with correct permissions
Enter the following commands to create a minimal operating system authentication configuration:
# groupadd -g 1000 oinstall # groupadd -g 1031 dba # useradd -u 1100 -g oinstall -G dba grid # useradd -u 1101 -g oinstall -G dba oracle # mkdir -p /u01/app/11.2.0/grid # mkdir -p /u01/app/grid # chown -R grid:oinstall /u01 # mkdir /u01/app/oracle # chown oracle:oinstall /u01/app/oracle # chmod -R 775 /u01/
After running these commands, you have the following groups and users:
An Oracle central inventory group, or oraInventory group (oinstall). Members who have the central inventory group as their primary group, are granted the OINSTALL permission to write to the oraInventory directory.
One system privileges group, dba, for Oracle Grid Infrastructure, Oracle ASM and Oracle Database system privileges. Members who have the dba group as their primary or secondary group are granted operating system authentication for OSASM/SYSASM, OSDBA/SYSDBA, OSOPER/SYSOPER, OSBACKUPDBA/SYSBACKUP, OSDGDBA/SYSDG, OSKMDBA/SYSKM, OSDBA for ASM/SYSDBA for ASM, and OSOPER for ASM/SYSOPER for ASM to administer Oracle Clusterware, Oracle ASM, and Oracle Database, and are granted SYSASM and OSOPER for ASM access to the Oracle ASM storage.
An Oracle Grid Infrastructure for a cluster owner, or Grid user (grid), with the oraInventory group (oinstall) as its primary group, and with the OSASM group (dba) as the secondary group, with its Oracle base directory /u01/app/grid.
An Oracle Database owner (oracle) with the oraInventory group (oinstall) as its primary group, and the OSDBA group (dba) as its secondary group, with its Oracle base directory /u01/app/oracle.
/u01/app owned by grid:oinstall with 775 permissions before installation, and by root after the root.sh script is run during installation. This ownership and permissions enables OUI to create the Oracle Inventory directory, in the path /u01/app/oraInventory.
/u01 owned by grid:oinstall before installation, and by root after the root.sh script is run during installation.
/u01/app/12.1.0/grid owned by grid:oinstall with 775 permissions. These permissions are required for installation, and are changed during the installation process.
/u01/app/grid owned by grid:oinstall with 775 permissions before installation, and 755 permissions after installation.
/u01/app/oracle owned by oracle:oinstall with 775 permissions.
Note:
You can use one installation owner for both Oracle Grid Infrastructure and any other Oracle installations. However, Oracle recommends that you use separate installation owner accounts for each Oracle software installation.This section contains an example of how to create role-allocated groups and users that is compliant with an Optimal Flexible Architecture (OFA) deployment.
This example illustrates the following scenario:
An Oracle Grid Infrastructure installation
Two separate Oracle Database installations planned for the cluster, DB1 and DB2
Separate installation owners for Oracle Grid Infrastructure, and for each Oracle Database
Full role allocation of system privileges for Oracle ASM, and for each Oracle Database
Oracle Database owner oracle1 granted the right to start up and shut down the Oracle ASM instance
Create groups and users for a role-allocated configuration for this scenario using the following commands:
# groupadd -g 1000 oinstall # groupadd -g 1020 asmadmin # groupadd -g 1021 asmdba # groupadd -g 1031 dba1 # groupadd -g 1041 dba2 # groupadd -g 1022 asmoper # useradd -u 1100 -g oinstall -G asmadmin,asmdba grid # useradd -u 1101 -g oinstall -G dba1,asmdba oracle1 # useradd -u 1102 -g oinstall -G dba2,asmdba oracle2 # mkdir -p /u01/app/11.2.0/grid # mkdir -p /u01/app/grid # chown -R grid:oinstall /u01 # mkdir -p /u01/app/oracle1 # chown oracle1:oinstall /u01/app/oracle1 # mkdir -p /u01/app/oracle2 # chown oracle2:oinstall /u01/app/oracle2 # chmod -R 775 /u01
After running these commands, you have a set of administrative privileges groups and users for Oracle Grid Infrastructure, and for two separate Oracle databases (DB1 and DB2):
An Oracle central inventory group, or oraInventory group (oinstall), whose members that have this group as their primary group. Members of this group are granted the OINSTALL system privileges, which grants permissions to write to the oraInventory directory, and other associated install binary privileges.
An OSASM group (asmadmin), associated with Oracle Grid Infrastructure during installation, whose members are granted the SYSASM privileges to administer Oracle ASM.
An OSDBA for ASM group (asmdba), associated with Oracle Grid Infrastructure storage during installation. Its members include grid and any database installation owners, such as oracle1 and oracle2, who are granted access to Oracle ASM. Any additional installation owners that use Oracle ASM for storage must also be made members of this group.
An OSOPER for ASM group for Oracle ASM (asmoper), associated with Oracle Grid Infrastructure during installation. Members of asmoper group are granted limited Oracle ASM administrator privileges, including the permissions to start and stop the Oracle ASM instance.
An Oracle Grid Infrastructure installation owner (grid), with the oraInventory group (oinstall) as its primary group, and with the OSASM (asmadmin) group and the OSDBA for ASM (asmdba) group as secondary groups.
/u01/app/oraInventory. The central inventory of Oracle installations on the cluster. This path remains owned by grid:oinstall, to enable other Oracle software owners to write to the central inventory.
An OFA-compliant mount point /u01 owned by grid:oinstall before installation, so that Oracle Universal Installer can write to that path.
An Oracle base for the grid installation owner /u01/app/grid owned by grid:oinstall with 775 permissions, and changed during the installation process to 755 permissions.
A Grid home /u01/app/12.1.0/grid owned by grid:oinstall with 775 (drwxdrwxr-x) permissions. These permissions are required for installation, and are changed during the installation process to root:oinstall with 755 permissions (drwxr-xr-x).
An Oracle Database software owner (oracle1), which owns the Oracle Database binaries for DB1. The oracle1 user has the oraInventory group as its primary group, and the OSDBA group for its database (dba1) and the OSDBA for ASM group for Oracle Grid Infrastructure (asmdba) as secondary groups. In addition the oracle1 user is a member of asmoper, granting that user privileges to start up and shut down Oracle ASM.
An OSDBA group (dba1). During installation, you identify the group dba1 as the OSDBA group for the database installed by the user oracle1. Members of dba1 are granted the SYSDBA privileges for the Oracle Database DB1. Users who connect as SYSDBA are identified as user SYS on DB1.
An OSBACKUPDBA group (backupdba1). During installation, you identify the group backupdba1 as the OSDBA group for the database installed by the user oracle1. Members of backupdba1 are granted the SYSBACKUP privileges for the database installed by the user oracle1 to back up the database.
An OSDGDBA group (dgdba1). During installation, you identify the group dgdba1 as the OSDGDBA group for the database installed by the user oracle1. Members of dgdba1 are granted the SYSDG privileges to administer Oracle Data Guard for the database installed by the user oracle1.
An OSKMDBA group (kmdba1). During installation, you identify the group kmdba1 as the OSKMDBA group for the database installed by the user oracle1. Members of kmdba1 are granted the SYSKM privileges to administer encryption keys for the database installed by the user oracle1.
An OSOPER group (oper1). During installation, you identify the group oper1 as the OSOPER group for the database installed by the user oracle1. Members of oper1 are granted the SYSOPER privileges (a limited set of the SYSDBA privileges), including the right to start up and shut down the DB1 database. Users who connect as OSOPER privileges are identified as user PUBLIC on DB1.
An Oracle base /u01/app/oracle1 owned by oracle1:oinstall with 775 permissions. The user oracle1 has permissions to install software in this directory, but in no other directory in the /u01/app path.
An Oracle Database software owner (oracle2), which owns the Oracle Database binaries for DB2. The oracle2 user has the oraInventory group as its primary group, and the OSDBA group for its database (dba2) and the OSDBA for ASM group for Oracle Grid Infrastructure (asmdba) as secondary groups. However, the oracle2 user is not a member of the asmoper group, so oracle2 cannot shut down or start up Oracle ASM.
An OSDBA group (dba2). During installation, you identify the group dba2 as the OSDBA group for the database installed by the user oracle2. Members of dba2 are granted the SYSDBA privileges for the Oracle Database DB2. Users who connect as SYSDBA are identified as user SYS on DB2.
An OSBACKUPDBA group (backupdba2). During installation, you identify the group backupdba2 as the OSDBA group for the database installed by the user oracle2. Members of backupdba2 are granted the SYSBACKUP privileges for the database installed by the user oracle2 to back up the database.
An OSDGDBA group (dgdba2). During installation, you identify the group dgdba2 as the OSDGDBA group for the database installed by the user oracle2. Members of dgdba2 are granted the SYSDG privileges to administer Oracle Data Guard for the database installed by the user oracle2.
An OSKMDBA group (kmdba2). During installation, you identify the group kmdba2 as the OSKMDBA group for the database installed by the user oracle2. Members of kmdba2 are granted the SYSKM privileges to administer encryption keys for the database installed by the user oracle2.
An OSOPER group (oper2). During installation, you identify the group oper2 as the OSOPER group for the database installed by the user oracle2. Members of oper2 are granted the SYSOPER privileges (a limited set of the SYSDBA privileges), including the right to start up and shut down the DB2 database. Users who connect as OSOPER privileges are identified as user PUBLIC on DB2.
An Oracle base /u01/app/oracle2 owned by oracle1:oinstall with 775 permissions. The user oracle2 has permissions to install software in this directory, but in no other directory in the /u01/app path.
On the HP-UX platform, if you intend to install Oracle Database or Oracle Real Application Clusters on Oracle Grid Infrastructure, then use the following procedure to create an external jobs user account to provide a low-privilege user with which external jobs can be run:
Log in as root.
Create the unprivileged user extjob. For example:
# useradd extjob
You run the installer software with the Oracle Grid Infrastructure installation owner user account (oracle or grid). However, before you start the installer, you must configure the environment of the installation owner user account. Also, create other required Oracle software owners, if needed.
This section contains the following topics:
Procedure for Configuring Oracle Software Owner Environments
Preventing Installation Errors Caused by Terminal Output Commands
You must make the following changes to configure the Oracle Grid Infrastructure software owner environment:
Set the installation software owner user (grid, oracle) default file mode creation mask (umask) to 022 in the shell startup file. Setting the mask to 022 ensures that the user performing the software installation creates files with 644 permissions.
Set ulimit settings for file descriptors and processes for the installation software owner (grid, oracle)
Set the software owner's environment variable DISPLAY environment variables in preparation for the Oracle Grid Infrastructure installation
Caution:
Use shell programs supported by your operating system vendor. If you use a shell program that is not supported by your operating system, then you can encounter errors during installation.To set the Oracle software owners' environments, follow these steps, for each software owner (grid, oracle):
Start a new terminal session; for example, start an X terminal (xterm).
Enter the following command to ensure that X Window applications can display on this system:
$ xhost + hostname
The hostname is the name of the local host.
If you are not already logged in to the system where you want to install the software, then log in to that system as the software owner user.
If you are not logged in as the user, then switch to the software owner user you are configuring. For example, with the grid user:
$ su - grid
To determine the default shell for the user, enter the following command:
$ echo $SHELL
Open the user's shell startup file in any text editor:
Bourne shell (sh) or Korn shell (ksh):
$ vi .profile
C shell (csh or tcsh):
% vi .login
Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:
umask 022
If the ORACLE_SID, ORACLE_HOME, or ORACLE_BASE environment variable is set in the file, then remove the appropriate lines from the file.
Save the file, and exit from the text editor.
To run the shell startup script, enter one of the following commands:
Bourne or Korn shell:
$ . ./.profile
C shell:
% source ./.login
Use the following command to check the PATH environment variable:
$ echo $PATH
Remove any Oracle environment variables.
If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:
Bourne or Korn shell:
$ DISPLAY=local_host:0.0 ; export DISPLAY
C shell:
% setenv DISPLAY local_host:0.0
In this example, local_host is the host name or IP address of the system to use to display OUI (your workstation or PC).
If the /tmp directory has less than 7 GB of free disk space, then identify a file system with at least 7 GB of free space and set the TEMP and TMPDIR environment variables to specify a temporary directory on this file system:
Note:
You cannot use a shared file system as the location of the temporary file directory (typically/tmp) for Oracle RAC installation. If you place /tmp on a shared file system, then the installation fails.Use the bdf command to identify a suitable file system with sufficient free space.
If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:
$ su - root # mkdir /mount_point/tmp # chmod a+wr /mount_point/tmp # exit
Enter commands similar to the following to set the TEMP and TMPDIR environment variables:
Bourne or Korn shell:
$ TEMP=/mount_point/tmp $ TMPDIR=/mount_point/tmp $ export TEMP TMPDIR
C shell:
% setenv TEMP /mount_point/tmp % setenv TMPDIR /mount_point/tmp
Enter the following command to ensure that the ORACLE_HOME and TNS_ADMIN environment variables are not set:
Bourne or Korn shell:
$ unset ORACLE_HOME $ unset TNS_ADMIN
C shell:
% unsetenv ORACLE_HOME % unsetenv TNS_ADMIN
Note:
If the ORACLE_HOME environment variable is set, the Installer uses the value that it specifies as the default path for the Oracle home directory. However, if you set the ORACLE_BASE environment variable, Oracle recommends that you unset the ORACLE_HOME environment variable and choose the default path suggested by the Installer.If you are on a remote terminal, and the local node has only one visual (which is typical), then use the following syntax to set the DISPLAY environment variable:
Bourne, Korn, and Bash shells
$ export DISPLAY=hostname:0
C shell:
$ setenv DISPLAY hostname:0
For example, if you are using the Bash shell, and if your host name is node1, then enter the following command:
$ export DISPLAY=node1:0
To ensure that X11 forwarding does not cause the installation to fail, create a user-level SSH client configuration file for the Oracle software owner user, as follows:
Using any text editor, edit or create the software installation owner's ~/.ssh/config file.
Ensure that the ForwardX11 attribute in the ~/.ssh/config file is set to no. For example:
Host *
ForwardX11 no
Ensure that the permissions on the ~/.ssh are secured to the Grid user. For example:
$ ls -al .ssh total 28 drwx------ 2 grid oinstall 4096 Jun 21 2012 drwx------ 19 grid oinstall 4096 Jun 21 2012 -rw-r--r-- 1 grid oinstall 1202 Jun 21 2012 authorized_keys -rwx------ 1 grid oinstall 668 Jun 21 2012 id_dsa -rwx------ 1 grid oinstall 601 Jun 21 2012 id_dsa.pub -rwx------ 1 grid oinstall 1610 Jun 21 2012 known_hosts
During an Oracle Grid Infrastructure installation, OUI uses SSH to run commands and copy files to the other nodes. During the installation, hidden files on the system (for example, .bashrc or .cshrc) will cause makefile and other installation errors if they contain stty commands.
To avoid this problem, you must modify these files in each Oracle installation owner user home directory to suppress all output on STDOUT or STDERR (for example, stty, xtitle, and other such commands) as in the following examples:
Bourne, Bash, or Korn shell:
if [ -t 0 ]; then stty intr ^C fi
C shell:
test -t 0 if ($status == 0) then stty intr ^C endif
Note:
When SSH is not available, the Installer uses theremsh commands instead of ssh and scp.
If there are hidden files that contain stty commands that are loaded by the remote shell, then OUI indicates an error and stops the installation.
Intelligent Platform Management Interface (IPMI) provides a set of common interfaces to computer hardware and firmware that system administrators can use to monitor system health and manage the system. Oracle Clusterware can integrate IPMI to provide failure isolation support and to ensure cluster integrity.
Oracle Clusterware does not currently support the native IPMI driver on HP-UX, so OUI does not collect the administrator credentials, and CSS is unable to obtain the IP address. You must configure failure isolation manually by configuring the BMC with a static IP address before installation, and using crsctl to store the IP address and IPMI credentials after installation.
This section contains the following topics:
See Also:
Oracle Clusterware Administration and Deployment Guide for information about how to configure IPMI after installationYou must have the following hardware and software configured to enable cluster nodes to be managed with IPMI:
Each cluster member node requires a Baseboard Management Controller (BMC) running firmware compatible with IPMI version 1.5 or greater, which supports IPMI over LANs, and configured for remote control using LAN.
Each cluster member node requires an IPMI driver installed on each node.
The cluster requires a management network for IPMI. This can be a shared network, but Oracle recommends that you configure a dedicated network.
Each cluster member node's Ethernet port used by BMC must be connected to the IPMI management network.
Each cluster member must be connected to the management network.
Some server platforms put their network interfaces into a power saving mode when they are powered off. In this case, they may operate only at a lower link speed (for example, 100 MB, instead of 1 GB). For these platforms, the network switch port to which the BMC is connected must be able to auto-negotiate down to the lower speed, or IPMI cannot function properly.
Note:
IPMI operates on the physical hardware platform through the network interface of the baseboard management controller (BMC). Depending on your system configuration, an IPMI-initiated restart of a server can affect all virtual environments hosted on the server. Contact your hardware and OS vendor for more information.On HP-UX platforms, the BMC shares configuration information with the management processor (iLO). For Oracle Clusterware, you must configure the ilO/BMC for static IP addresses. Configuring the BMC with dynamic addresses (DHCP) is not supported on HP-UX.
Note:
If you configure IPMI, and you use Grid Naming Service (GNS) you still must configure separate addresses for the IPMI interfaces. As the IPMI adapter is not seen directly by the host, the IPMI adapter is not visible to GNS as an address on the host.On each node, complete the following steps to configure the BMC to support IPMI-based node fencing:
Configure a static IP address for the BMC.
Set a password for the null (noname) account for the BMC.
On HP-UX, the BMC and the iLO share network configuration. They have the same IP address, the same hardware MAC address, and the same default gateway address.
If your iLO processor is already configured for network access using a static address, then you have already established the required BMC network configuration. If you have not set up a static address for the iLO, then you must set a static address, and note the address so that you can enter it into the Oracle Clusterware local registry after installation.
You must also set up a password for the null (noname) user account, as this is the single account that the BMC uses. Administration accounts in the iLO are unrelated to the BMC. For security reasons, Oracle requires that you set a password for the BMC account.
Refer to your HP-UX documentation for more information about how to configure the BMC. Ensure that the BMC is configured on each cluster member node.
To configure IPMI in the iLO processor on HP platforms, and to set a password for the null (noname user), complete the following procedure:
Log in to the iLO web interface, and configure the required network settings for the iLO and BMC under Administration, then Network Settings to obtain the IP address, and to check the netmask and default gateway.
Start a terminal session from a device with network connectivity to the BMC of the node to configure.
From the terminal session, set the IPMI password for the anonymous user (noname) over the network, using an IPMI administration tool, such as ipmitool from a client or server connected to the note whose user password you want to change. For example, where ipmiaddr is the IPMI address, and password is the password:
% ipmitool -H ipmiaddr -U "" user set password 1 "password"
Note that in this example, the anonymous username is being provided explicitly using -U "" for clarity, but it is implied if the username argument is missing. This command prompts for the current password, which can be the initial null password. If the password is successfully changed, then the command prints an error similar to: "Close session command failed." This message is printed because the command attempts to terminate the IPMI network session using the previous password.
Note:
It is not possible to set the password for the IPMI administrator account using the Local Accounts web interface page.After you configure the BMC on each cluster member node, and have completed Oracle Grid Infrastructure installation, you must store the IPMI administrator credentials and the BMC static IP address in the Oracle Local Registry (OLR) on each cluster member node. Use crsctl to do this, as described in Section 8.2.1, "Configuring IPMI-based Failure Isolation Using Crsctl." However, when you store the IPMI credentials in the OLR, you must have the anonymous user specified explicitly, or a parsing error will be reported:
% crsctl set css ipmiadmin ""
When prompted, provide the password you set with the IPMI administrator tool.
During Oracle Grid Infrastructure installation, the installer requires you to run scripts with superuser (or root) privileges to complete a number of system configuration tasks.
You can continue to run scripts manually as root, or you can delegate to the installer the privilege to run configuration steps as root, using one of the following options:
Use the root password: Provide the password to the installer as you are providing other configuration information. The password is used during installation, and not stored. The root user password must be identical on each cluster member node.
To enable root command delegation, provide the root password to the installer when prompted.
Use Sudo: Sudo is a UNIX and Linux utility that allows members of the sudoers list privileges to run individual commands as root.
To enable Sudo, have a system administrator with the appropriate privileges configure a user that is a member of the sudoers list, and provide the username and password when prompted during installation.
The Oracle base directory for the grid installation owner is the location where diagnostic and administrative logs, and other logs associated with Oracle ASM and Oracle Clusterware are stored.
If you have created a path for the Oracle Clusterware home that is compliant with Oracle Optimal Flexible Architecture (OFA) guidelines for Oracle software paths then you do not need to create an Oracle base directory. When OUI finds an OFA-compliant path, it creates the Oracle base directory in that path.
For OUI to recognize the path as an Oracle software path, it must be in the form u[00-99]/app, and it must be writable by any member of the oraInventory (oinstall) group. The OFA path for the Oracle base is /u01/app/user, where user is the name of the software installation owner.
Oracle recommends that you create an Oracle Grid Infrastructure Grid home and Oracle base homes manually, particularly if you have separate Oracle Grid Infrastructure for a cluster and Oracle Database software owners, so that you can separate log files.
For example:
# mkdir -p /u01/app/11.2.0/grid # mkdir -p /u01/app/grid # mkdir -p /u01/app/oracle # chown grid:oinstall /u01/app/11.2.0/grid # chown grid:oinstall /u01/app/grid # chown oracle:oinstall /u01/app/oracle # chmod -R 775 /u01/ # chown -R grid:oinstall /u01
Note:
Placing Oracle Grid Infrastructure for a Cluster binaries on a cluster file system is not supported.